0
votes

I was wondering: in subsequent requests to the server, the client sends back the JWT token. At the server, the server extracts the header and payload and uses a secret key that is already at the server; that way the server re-forms the JWT and compares it with the signature. So I was thinking, how does the server identify which secret key to use to re-form the JWT to test the incoming token from the client? Or does it always use the same secret key for all the clients? Or where does this green-colored secret (in the diagram) come from at the server?

1
Generally yes, the normal operation is to use a single secret key for all users. The key is to keep your key secret. – slebetman
@slebetman So if some malicious user is able to hack the secret key, he can get access to everyone's account... conditionally, he already has access to the header and payload section... – NoviceToDotNet
@NoviceToDotNet If magically a user can guess the secret key, yes, he can change his permissions or forge another user's identity, but it's not an easy task. You probably choose a long secret key that is impossible to guess and takes years to brute force. – MrMoeinM
Just like Bitcoins, JWT tokens are based on digital signatures. And just like Bitcoins, the moment someone knows your secret key they can spend all your money. As I mentioned, the core idea that makes cryptocurrencies and JWT tokens safe is that you should keep your secret key secret. That means things like never committing them to your git repo (unless you never plan on working on the code with other people), making sure your secret key is good and unguessable, etc. – slebetman
... However, unlike Bitcoins, with JWT you can replace your secret key periodically, but this forces all logged-in users to be logged out. Generally though, most websites never do this. Though you MUST make sure your server is safe behind layers of protection: permissions of config files are set correctly, your OS is always updated, your server is behind a firewall, you don't expose ports unnecessarily, your app is proxied via hardened web servers like Nginx or Apache, etc. – slebetman

1 Answer

3
votes

All the scenarios I was faced with used a single secret key, usually read from a config file or environment variable, but it is not hard to use different secret keys for different users. JWT checks the integrity of the token and does not encrypt the token. So, for example, you can keep the hash of the secret key you are using for the token in the header section, and when you receive the token, read the header and find out which secret key you need to use.
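An added example of the lookup the answer describes, and of the verification step the question asks about (this is not code from the question or the answer). It uses the standard JOSE `kid` header field as an opaque key identifier instead of a hash of the secret; the key store, key ids, secrets and payloads are constructed, and the server pins the algorithm rather than trusting the token's `alg`.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample key store (key id -> secret). In production the secrets
# come from a config file, environment variable or secrets manager.
KEYS = {
    "client-a-2024": b"constructed-secret-for-client-a",
    "client-b-2024": b"constructed-secret-for-client-b",
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(payload: dict, kid: str) -> str:
    """Build header.payload.signature; the header records which key signed it."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify(token: str) -> Optional[dict]:
    """Return the payload if the signature is valid under the named key, else None."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        sig = b64url_decode(s64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    # Pin the algorithm server-side; the token's "alg" must not choose the scheme.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    kid = header.get("kid")  # untrusted, but only used as a lookup index
    secret = KEYS.get(kid) if isinstance(kid, str) else None
    if secret is None:
        return None
    # Recompute the MAC over the received header.payload and compare in constant time.
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(b64url_decode(p64))
```

Any change to the payload, the key id, or the algorithm field makes `verify` return `None`, which is the check the server performs on every request.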